BUSINESS CONTINUITY. Audit Report No. ABC0109. March 31, 2009

Transcription

1 BUSINESS CONTINUITY Audit Report No. ABC0109 March 31, 2009 MENTAL HEALTH MENTAL RETARDATION AUTHORITY OF HARRIS COUNTY Report

2 AUDITOR S REPORT Business Continuity / Disaster Recovery / Contingency Emergency Plan Harris County, Texas Report March 31, 2009 Henry E. Webb, CFE or

3 MENTAL HEALTH MENTAL RETARDATION AUTHORITY OF HARRIS COUNTY March 31, 2009 Steven B. Schnee, Ph.D. Executive Director MHMRA of Harris County 7011 SW Freeway Houston, TX RE: (Report No. ABC0109) BACKGROUND In the event of a significant business interruption the Mental Health and Mental Retardation Authority of Harris County (MHMRA) has policies and procedures in place to help ensure a successful resumption and continuation of operations in the event of a disaster. The addresses a variety of disaster scenarios, including proper planning and alternate procedures in the event of business interruption. Key personnel have been assigned specific tasks and responsibilities in order to properly deal with Disaster Recovery and Business Continuity. The Agency s goal is to ensure the safety of staff, the security of data and the ability to provide quality services to their clients, in a manner consistent with established expectations regardless of the physical challenges MHMRA may face. MHMRA businesses depend heavily on technology and automated systems, and their disruption for even a few days could cause severe financial loss. The continued operations of the Agency depend on management s awareness of potential disasters, their ability to develop a plan to minimize disruptions of critical functions and the capability to recover operations expediently and successfully. MHMRA s Disaster Recovery Plan is a comprehensive statement of consistent actions to be taken before, during and after a disaster. The plan has been clearly documented and tested to ensure the continuity of operations and availability of critical resources in the event of a disaster. The primary objective of MHMRA s disaster recovery planning is to protect the organization in the event that all or part of its operations, programs, and/or computer services is rendered unusable. Preparedness has been the key. The planning process has minimized the disruption of operat ions to ensure a level of organizational stability and an orderly recovery after a disaster. The Agency s objectives of disaster recovery planning include: Providing a sense of security Minimizing risk of delays Guaranteeing the reliability of systems I

4 Providing a standard for testing the plan Minimizing decision-making during a disaster Organizational Preparedness 1. Obtain Top Management Commitment Top management has supported and been involved in the development of the disaster recovery planning process. Management has been responsible for coordinating the disaster recovery plan and ensuring its effectiveness within the Agency. Adequate time and resources have been committed to the development of an effective plan. Resources included both financial considerations and the effort of all personnel involved. 2. Establish a Command Staff The planning committee was appointed to oversee the development and implementation of the plan. This committee included representatives from all functional areas of the organization. Key committee members included the Risk Manager, Quality Management, Nursing, and Information Technology personnel. The committee defined the scope of the plan. 3. Perform a Risk Assessment The planning committee prepared a risk analysis and business impact analysis that included a range of possible disasters, including natural, technical and human threats. Each functional area of the organization was analyzed to determine the potential consequence and impact associated with several disaster scenarios. The risk assessment process evaluated the safety of critical documents and vital records. Traditionally, fire has posed the greatest threat to the Agency as well as weather (due to location). Intentional human destruction, however, has also been considered. 4. Establish Priorities for Processing and Operations The critical needs of each department within the organization has been carefully evaluated in such areas as: Functional operations Key personnel Information Processing Systems Service Documentation Vital records Policies and procedures Processing and operations were analyzed to determine the maximum amount of time that the department and organization could operate without each critical system. Critical needs were defined as the necessary procedures and equipment required to continue operations should a department, computer center, main facility or a combination of these be destroyed or become inaccessible. 5. Determine Recovery Strategies The most practical alternatives for processing in case of a disaster were researched and evaluated. Some of the areas considered important aspects of the organization that were taken into consideration were: Facilities Hardware II

5 Software Communications Data files Client services User operations End-user systems Other processing operations Written agreements for specific needs have been prepared, including the following special considerations: Fuel Contracts Security procedures Notification of system changes Hours of operation Specific hardware and other equipment required for processing Personnel requirements Circumstances constituting an emergency 7. Organized and Documented a Written Plan Executive management, as well as the Board of Director s have reviewed and approved MHMRA s Disaster Recovery Plan. Each division within MHMRA of Harris County is also responsible for the development and implementation of a disaster response plan that addresses all components within the division. Each division/component must retain a disaster plan on site with a copy to the Disaster Coordinator. The probability of a disaster occurring within the Agency is highly uncertain. The disaster plan, however, is similar to liability insurance: it provides a certain level of comfort in knowing that if a major catastrophe occurs, it should not result in total financial disaster. Insurance alone is not adequate because it may not compensate for the incalculable loss of business during the interruption. One of the reoccurring themes heard during the audit from staff as to the importance of the Disaster and Emergency Response Plan that MHMRA of Harris County has put in place can be summarized below: Minimizing potential economic loss Decreasing potential exposures Reducing the probability of occurrence Reducing disruptions to operations Ensuring organizational stability Providing an orderly recovery Minimizing insurance premiums Reducing reliance on certain key individuals Protecting the assets of the organization Ensuring the safety of personnel and clients Minimizing decision-making during a disastrous event Minimizing legal liability OBJECTIVES The overall objectives of the audit were to determine whether the department: Managed and used resources in an efficient, effective, and economical manner Administered funds in compliance with applicable laws, regulations, policies, and procedures Implemented internal controls to prevent or detect material errors and irregularities III

6 The specific objectives in this audit were to: Determine if MHMRA policies and procedures (relating to the Center s Disaster and Emergency Response Plan), adequately assured compliance with federal, state, and local laws. Determine if systems of internal controls implemented were adequate to assure that the Agency does not suffer undue economic loss. Evaluate management controls over the administration of the Disaster and Emergency Response Plan SCOPE The scope of the work did not constitute an evaluation of the overall internal control structure of the unit. The examination was designed to evaluate and test compliance with established policy and procedures and to test the internal control over tested areas and material. The audit scope period was for the period ended February 28, Departmental management is responsible for establishing and maintaining a system of internal controls to adequately comply with approved policy and procedures. The objectives of an internal control system are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized use or theft, and that transactions are executed in accordance with management s authorization and are properly recorded. Because of inherent limitations in any system of internal accounting control errors or irregularities may occur and not be detected in a timely manner. Also, projection of any evaluation of the system to future periods is subject to the risk that procedures may become inadequate because of changes in conditions, or that the degree of compliance with procedures may deteriorate. The purpose of the audit report is to furnish management independent, objective analyses, recommendations, and information concerning the activities reviewed. The audit report is a tool to help management discern and implement specific improvements. The audit report is not an appraisal or rating of management. Although due professional care in the performance was exercised, this should not be construed to mean that unreported noncompliance or irregularities do not exist. The deterrence of fraud is the responsibility of management. Audit procedures alone, even when carried out with professional care, do not guarantee that fraud will be detected. Specific areas for improvement were addressed in a Minor Issues Memo provided to Management during the Exit Conference. would like to thank management and staff for their cooperation throughout the audit. METHODOLOGY In order to meet the objectives, flowcharted and evaluated controls related to the administration of, as well as reviewed policies and procedures for compliance and completeness. The Center s Disaster and Emergency Response Plan was benchmarked against several Business Continuity Plans. Interviews were conducted with staff members from the following departments: Facilities, Accounting, Purchasing, Contracts, Quality Management, Information Technology, Nursing, Mental Health, Mental Retardation, Transportation, Comprehensive Psychiatric Emergency Program, and other Department personnel as needed. Additional audit tests and procedures were conducted as considered necessary. STATEMENT OF AUDITING STANDARDS The audit was conducted in accordance with generally accepted government auditing standards (GAGAS). Those standards require that plan and perform the audit to afford a reasonable basis for the judgments and conclusions regarding the organization, program, activity, or function under audit. An audit IV

7 also includes assessments of applicable internal controls and compliance with requirements of laws and regulations when necessary to satisfy the audit objectives. An audit also includes assessing the estimates, judgments, and decisions made by Agency management. It is believed that this audit provides a reasonable basis for the findings, conclusions, and recommendations. RESULTS As a result of the audit procedures and interviews conducted, it was determined that departmental compliance with established criteria to adequately administer the Center s Disaster and Emergency Response Plan generally meets Agency requirements. -S- Henry E. Webb CC: Rose Childs, MSW, CSWM, Deputy Director, Mental Health Division Kenneth Collins, LMSW, Deputy Director, Mental Retardation Division Barbara Dawson, MSE, Deputy Director, Comprehensive Psychiatric Emergency Program Division Daryl Knox, MD, Medical Director, Comprehensive Psychiatric Emergency Program Division Sarah Flick, MD, Medical Director, Mental Retardation Services Sylvia Muzquiz, MD, Medical Director, Mental Health Services Jeanne Mayo, MS, JD, General Counsel Alex Lim, MBA, CPA, Chief Financial Officer External Audit Firm Audit Committee: Tom Hamilton, Ph.D. (Chairman) Jane B. Cherry Paige M. Cokinos Charles O. Buckner. CPA Vicki S. Raynold, CPA Bob Borochoff V

8 ATTACHMENT A SUMMARY OF RECOMMENDATIONS March 31, 2009 Unit: Area: Procedural Inherent Risk: Low Control Environment: Well Controlled Overall Risk: Low Moderate Acceptable Moderate High Poorly Controlled High Type of Procedures: Audit Scope: * Using Internal Control Evaluation (ICEs) forms, documented internal controls * Conducted a preliminary survey reviewing applicable policies and procedures, etc. * Interviewed various staff, obtained understanding of management controls * Examined detailed receipts, vouchers, and supporting documentation Priority Rating: Audit Recommendations: Follow-up: As Risk Assessment Warrants Priority Rating 1. Implement immediately (30-90 days) - Serious internal control deficiencies or recommendations to reduce cost, maximize revenues, or improve internal controls that can be easily implemented. 2. Work towards implementing (6-18 months) - Less serious internal control deficiencies or recommendations that can not be implemented immediately because of constraints imposed on the unit (i.e., budgetary, technological constraints). 3. Implement in the future (2-3 years) - Recommendations that should be implemented but that can not be implemented until significant and/or uncontrolled events occur (i.e. legislative changes, buy and install major systems, requires third party cooperation).